Shortfalls in public sector data security: Human error, varying data security knowledge

SINGAPORE — Careless mistakes such as sending emails containing personal data to members of the public instead of hiding recipients in a blind carbon copy list.

That was one shortcoming in the public sector’s practices that compromised data security, which emerged during inspections by a high-level review committee.

Other risks included public sector staff with different levels of training in data protection, and inconsistent practices in the management of access rights.

The Public Sector Data Security Review committee, chaired by Senior Minister Teo Chee Hean, was convened in April this year to review and strengthen data security practices across the entire public sector.

As part of its review, it conducted a government-wide stocktake of data management practices, and in-depth inspections of key government agencies’ IT systems.

So far, the committee has completed inspections on five government agencies: The Ministry of Health (MOH), the Health Sciences Authority (HSA), the Health Promotion Board (HPB), the Central Provident Fund Board (CPFB) and the Inland Revenue Authority of Singapore's (Iras).

Other than human errors and inconsistent rights’ management, the review committee also found that there were insufficient policies governing data sharing between third parties and vendors, such as private sector firms which may require access to data to provide services.

The greater demand for data to provide convenient digital services, and the growing availability and use of analytics tools also increase the likelihood of data leaks, the committee noted.

In a media briefing on Monday (July 15), the Smart Nation and Digital Government Office (SNDGO) said that while the “current security regime has strong fundamentals”, there is a “need to strengthen our data security regime for the future”.

“This is in view of the increasing complexity of our systems, the greater demand for the use of data to provide convenient digital services to the public, and the need to use data for better policy making. The range of threats to data security has also increased,” said SNDGO.

To reduce these risks, the committee has come up with a list of 13 technical measures that public agencies can take to improve its data management practices.

They include applying password encryption on files and segregating highly sensitive information — such as one’s medical history of infectious diseases or bankruptcy information — from larger datasets.

There are also plans to standardise data security training across the board. More details of such plans, including how to regulate information-sharing with private sector vendors will be made known when the committee submits its final report to the Government in November this year.

The review committee was formed following a spate of data leaks and cybersecurity breaches over the past year.

This includes the SingHealth cyberattack, where hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

In January this year, the HIV-positive status of 14,200 people – along with confidential information such as their identification numbers and contact details – were leaked online.